Krebs on Security

In-depth security news and investigation

Adobe, Microsoft Issue Critical Security Fixes

Adobe and Microsoft today each released software updates to plug dangerous security holes in their products. Adobe pushed patches to fix holes in Adobe Acrobat/Reader as well as Flash Player. Microsoft issued eight update bundles to nix at least 13 security vulnerabilities in Windows and software that runs on top of the operating system.

A majority of the patches released by Microsoft are fixes for products that run in enterprise environments. Chief among the consumer-facing Microsoft updates is a cumulative patch for Internet Explorer that fixes a pair of flaws in all supported versions of IE. This patch also includes the emergency update that Microsoft released earlier this month to address a zero-day vulnerability in IE. Microsoft also issued fixes for several Office vulnerabilities. This month’s batch also includes a .NET fix, which in my experience is best installed separately.

Adobe released a fix for its Flash Player software that corrects at least six security flaws. The Flash update brings the media player to v. 13.0.0.214 on Windows and Mac systems, and v. 11.2.202.359 for Linux users. To see which version of Flash you have installed, check this link.

IE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

In addition, there is an update available that fixes at least 11 security holes in versions of Adobe Acrobat and Adobe Reader. Windows and Mac users should update to the latest version (11.0.07).

34 comments

Still on Windows XP and will be till something packs up or malware nukes my Dell desktop. Anyhow ran Windows Update for a laugh and it gave me May’s version of KB 890830 Malicious Software Removal Tool which is better than nothing I guess.

“Microsoft issued eight update bundles to nix at least 13 security vulnerabilities in Windows and software that runs on top of the operating system.”

and

“Adobe released a fix for its Flash Player software that corrects at least six security flaws.”

and updates all too often obviate our specific Settings, do other sneaky unknown-until-too-late things, and yet we are supposed to have faith in and trust these programs issued by such flawed companies????

The updates were for Office 2007 or higher, or other Microsoft software on your system that is still in its support lifetime. You won’t see any updates for the core operating system, which is really where a lot of the nastiest issues can come from.

Heads-up for those of you who took preemptive measures on the recent IE zero-day: part of the attack depended on the VGX.DLL file, and one of the workarounds was to modify the Access Control List to deny access to that file.

If you used that specific measure (changing the ACL for the file, as opposed to unregistering it), then today’s MS14-021 update won’t be able to install until you undo your ACL change. To do that, start a command-line window using Run As Administrator, and run this command:

I applied today’s batch to Win8.1 systems, some with 64-bit Office 2010. The “Restarting…” screen was taking a while, but they got through it.

“IE10/IE11 and Chrome should auto-update their versions of Flash.”

IE10 or IE11 will auto-update their versions of Flash on Win8.x, but not on Win7. Flash is bundled with Win8 and therefore Microsoft ships its updates to Win8 via Windows Update. Not so with Win7; it’s up to either the user, or Adobe’s own updater.

On the topic of Adobe, let me suggest that any Reader users 1) make sure they’re on Reader 11, 2) disable Adobe’s JavaScript feature in the Edit > Preferences panel, and 3) enable Protected View for PDFs from all sources in the Security (Enhanced) panel, like this:

There are, but what’d be really interesting is tracking the number of vulnerabilities fixed each month, since many updates actually fix multiple vulnerabilities. However, since Microsoft is closed source, there’s no truly accurate way of tracking this without trusting the vendor to provide truthful information (which is rarely, if ever, a good idea).

Microsoft will occasionally drag out the number of patches as a way of crowing about how secure they are compared to open source software, at which point the Microserf receives a boot to the head for not having provided full disclosure (e.g. source) to verify claims.

Note that support for Windows 8.1 (not Windows 8.1 Update) ends next month.
It would pay folks using Windows 8 to check which exact version they have, if they do not already know.
Around and around it goes . . .

Is anyone else having issues pushing out the latest version of Reader? I extract the 5 files from AdbeRdr11007_en_US.exe, one of those is AcroRead.msi, if I run this .msi it installs Reader 11.0.00 not 11.0.07… I’ve tried it on a separate machine too and same result, seems to be packaged differently from 11.0.06

I have the Maxthon web browser, when I go to update it says “You have version 11,3,300,271 installed” so I went to the Adobe Download Center and unchecked the McAfee box, and clicked to download the new version, and it initialized and downloaded, and said it was finished, and returned me to the prior page. But when I go to check my version it still says “You have version 11,3,300,271 installed” I need help! It is not working!

Something else is going on at Adobe. Last night my Creative Cloud menu icon was diminished indicating it wasn’t ‘available.’ (Am a graphic designer) When I attempted to review the apps, nothing was there. It wanted me to sign in?? Then I did got a window that said ‘site unavailable.’ Went to Adobe’s main site and tried to log in there. Again, got the ‘Site unavailable’ and a small notice that said ‘site down for maintenance.’ This was around 10 pm. As of 6:30 am this morning, still nothing can be accessed. Interestingly, just before I discovered this last night, I got a prompt to Update Acrobat Reader, which I did.

Because to get the security of Windows 7 you need most of the features of Windows 7. As maligned as Vista was, many of the changes that took place under the hood were security oriented (though the worst were simply change for the sake of change, or change to force you to purchase new hardware).

They have Windows 7 Starter which is a stripped down version of Windows 7, to fill the niche XP provided with low powered systems. To say it’s gone over like a lead balloon is an understatement.

If I’m not mistaken, netbooks that shipped with Windows XP Home (as well as those that shipped with Windows 7 Starter) can easily run Windows 7 Home Premium and better. (You’d probably have to max out the netbook’s RAM, though.)